Lewis Peckover yesterday announced that he had discovered that O2 was sending a user's mobile phone number in HTTP headers to websites. He set up a test website to prove the theory, and thousands of users discovered that they were also affected.
There was huge uproar in the press and among Twitter users. The problem seemed exclusively linked to O2, and the immediate response from O2 was that they were looking into it.
O2 now has an official response, posted on their blog, detailing that the mobile number of an O2 customer was indeed passed to certain websites, but only “with certain trusted partners”, although apparently between the 10th of January and 14.00 today (Wednesday 25th of January) there has been the potential for disclosure of customers’ mobile phone numbers to further websites.
So clearly some security setting was inadvertently changed and the mobile number HTTP header was suddenly being sent to all websites, not just the trusted partner ones. The big question, “Has it been stopped?”, is categorically answered with “Yes”, as of 14.00 today. This seems to be confirmed by Lewis and others.
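For readers who want to check their own connection the way Lewis's test site did, the following is an added example (not Lewis's code, and not anything O2 published) of a tiny WSGI page that reports any request header whose value has the shape of a mobile number. The header name and the number in the constructed sample are made up; the page never names the real header, so the check looks at the value of every header rather than a fixed name, and it skips headers that are expected to be plain numbers anyway (the skip list is an assumption to tune for your own deployment).

```python
import re

# Assumption: request headers that legitimately carry plain numbers and should
# not be reported. Extend this for your own deployment.
NUMERIC_HEADERS = {"content-length", "max-forwards", "age", "dnt",
                   "upgrade-insecure-requests"}

# Loose MSISDN shape: optional '+', then 10 to 15 digits (E.164 allows up to 15).
_MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def find_number_like_headers(headers):
    """Return {name: value} for request headers whose value looks like a phone number.

    `headers` is a plain dict of header name -> value. Names are lower-cased on
    output; spaces, dashes and parentheses in values are ignored when matching,
    so '+44 7700 900123' and '447700900123' are both reported.
    """
    hits = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in NUMERIC_HEADERS:
            continue
        compact = re.sub(r"[\s\-()]", "", str(value))
        if _MSISDN_RE.match(compact):
            hits[lname] = value
    return hits


def wsgi_request_headers(environ):
    """Collect the HTTP request headers from a WSGI environ into {name: value}."""
    return {
        key[5:].replace("_", "-").lower(): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }


def app(environ, start_response):
    """Minimal WSGI app: tells the visitor which headers carried a number-like value."""
    hits = find_number_like_headers(wsgi_request_headers(environ))
    if hits:
        lines = ["The following request headers look like a phone number:"]
        lines += ["  %s: %s" % (k, v) for k, v in sorted(hits.items())]
    else:
        lines = ["No request header looked like a phone number."]
    body = ("\n".join(lines) + "\n").encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample headers, as a browser behind a carrier proxy might send
# them. The header name and the number are invented for this example; the
# Content-Length entry shows a numeric header that must not be reported.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0",
    "Content-Length": "1234567890",
    "X-Example-Subscriber-Id": "447700900123",
}

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    print("sample check:", find_number_like_headers(SAMPLE_HEADERS))
    with make_server("127.0.0.1", 8000, app) as srv:
        print("listening on http://127.0.0.1:8000/ (visit it over the mobile network)")
        srv.serve_forever()
```

Run it on a host reachable from the phone and open the page over the mobile data connection rather than Wi-Fi; a header injected by the carrier's proxy will show up in the report, while a normal browser request produces the "No request header" line.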
So, what’s the fallout from this? It’s unfortunate that the error exposing the number to all websites went on for as long as it did, but it looks to have been an accident, and certainly isn’t O2 policy.
The bigger issue is that we need more detail on these trusted partners: who they are, and how much use they can make of being able to link specific mobile numbers across multiple websites from an advertising/marketing standpoint. There doesn’t appear to be an opt-out process (although it’s likely one will appear now), and many customers will be unhappy at the lack of disclosure that this was happening.